10-20-2005 09:41 AM - edited 03-09-2019 12:46 PM
Setup: Static NAT for smtp a/v box in dmz is filtering mail in/outbound.
Need to keep inbound NATing to smtp a/v box, but outbound smtp needs to be NATed directly from the email servers to the same Public MX record. Thanks
10-20-2005 10:11 AM
Have you tried to use a static NAT?
10-20-2005 10:25 AM
I don't think this is possible, please correct me if I am wrong.
The Mail server should relay back to the AV Mail Relay in the DMZ to send the Emails and not directly send Emails to the Internet, in this setup the Email is also scanned outbound.
example:
access-list outside permit tcp any host Mail-MX eq smtp
access-group outside in interface outside
static (dmz,outside) Mail-MX-PubIP AV-Relay-DMZ-IP netmask 255.255.255.255
static (inside,dmz) InsideNetwork InsideNetwork netmask 255.255.255.0 0 0
access-list dmz .... (All other services that have outbound connections)
access-list dmz permit tcp host AV-Relay-DMZ-IP host MailServer-Internal-IP eq smtp
access-group dmz in interface dmz
The Inside Email Server connects to the DMZ Private IP of the Email Relay.
sincerely
Patrick
10-21-2005 03:29 AM
Correct, this is how it is currently configured; however, the server crew would like to only scan inbound smtp traffic and send outbound traffic directly through the firewall. Is it possible to have inbound NAT to box A and outbound NAT from box B using the same NATing address?
10-21-2005 03:42 AM
You can try this example.
a/v box = 172.16.2.2
public ip = x.x.x.x
inside mail server = y.y.y.y
static (dmz,outside) tcp x.x.x.x 25 172.16.2.2 25
nat (inside) 1 y.y.y.y // for mail servers
global (outside) 1 x.x.x.x
nat (inside) 2 y.y.0.0 //for the rest of the traffic
global (outside) 2
The catch here is that the nat for the mail servers should be before the nat statement for the mail servers.
10-21-2005 04:28 AM
The goal is to use the same public ip but NAT in traffic to the a/v box and outbound traffic (email server) from a different box/ip address. Some security devices will not accept smtp from a different ip address. Is this possible?
10-21-2005 09:14 AM
That is what is happening in the above example. We are natting the inbound traffic to the a/v box, and not natting the outbound traffic to the same ip address. If you see, I have used the same ip address for global. Please see I am not using one-to-one static nat for the a/v box.
10-21-2005 08:02 PM
Hi,
Sorry for my vocab in the last conversation. I was able to understand your problem that a few mailing servers would do a reverse lookup for incoming mail and, if the ip address does not match the registered one, would reject the mail. If you look at the solution provided, we are taking care of the same thing.
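The reverse-lookup rejection described in the last two posts, modelled as an added Python example (not code from the thread; every domain, host name and address is constructed, and the three lookup functions are offline stand-ins for real DNS queries). It shows why outbound mail must leave through the published MX address rather than a PAT pool address:

```python
"""Receiver-side check: a remote MTA compares the source IP of an inbound
SMTP connection with the DNS records published for the sending domain.
Added example, not from the original thread; all data below is constructed."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data. 203.0.113.25 plays the public MX address shared by the
# inbound A/V relay and the outbound mail server; 203.0.113.77 plays a PAT pool
# address that outbound mail must not leak through.
MX_RECORDS: Dict[str, List[str]] = {"example.test": ["mx.example.test"]}
A_RECORDS: Dict[str, List[str]] = {"mx.example.test": ["203.0.113.25"],
                                   "pat-pool.example.test": ["203.0.113.77"]}
PTR_RECORDS: Dict[str, str] = {"203.0.113.25": "mx.example.test",
                               "203.0.113.77": "pat-pool.example.test"}

def lookup_mx(domain: str) -> List[str]:
    return MX_RECORDS.get(domain, [])

def lookup_a(host: str) -> List[str]:
    return A_RECORDS.get(host, [])

def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)

def check_outbound_source(domain: str, src_ip: str,
                          mx: Callable[[str], List[str]] = lookup_mx,
                          a: Callable[[str], List[str]] = lookup_a,
                          ptr: Callable[[str], Optional[str]] = lookup_ptr,
                          ) -> Tuple[bool, bool, str]:
    """Return (matches_mx, fcrdns_ok, reason) for one observed source address.
    matches_mx: the source IP is an A record behind the domain's MX.
    fcrdns_ok:  the PTR name of the source IP resolves back to it
                (forward-confirmed reverse DNS), which many receivers require."""
    src = str(ipaddress.ip_address(src_ip))  # validates and normalises the text
    mx_ips = {ip for host in mx(domain) for ip in a(host)}
    matches_mx = src in mx_ips
    name = ptr(src)
    fcrdns_ok = name is not None and src in a(name)
    if matches_mx and fcrdns_ok:
        reason = "source %s is the published MX address for %s" % (src, domain)
    elif not matches_mx:
        reason = "source %s is not behind any MX of %s (expected %s)" % (
            src, domain, ", ".join(sorted(mx_ips)) or "none")
    else:
        reason = "PTR %s for %s does not resolve back to it" % (name, src)
    return matches_mx, fcrdns_ok, reason

if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.77"):
        print(check_outbound_source("example.test", ip))
```

Swapping the stand-in lookups for a real resolver turns this into a check that the nat/global pair above actually puts the mail server's connections behind the MX address.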